If you have SSH open toward the Internet, you are surely aware of the number of brute force password attempts your server sees every day. Although a good password policy may make these attempts nothing more than an annoyance, each connection to your SSH daemon takes up valuable server resources. I was tired of seeing thousands of password attempts every day, and decided to limit the rate at which hosts could connect to my SSH daemon using iptables.
I use RHEL5, so I added the following lines to /etc/sysconfig/iptables:
-A RH-Firewall-1-INPUT -m state --state NEW -m recent -p tcp --dport 22 --set
-A RH-Firewall-1-INPUT -m state --state NEW -m recent -p tcp --dport 22 --update --seconds 60 --hitcount 4 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
The first line sets up the session tracking: every new connection to port 22 records the source address in the "recent" list. The second line tells iptables to drop the packet if it has seen 4 or more new connection attempts from the same source address within a 60 second window. Finally, the third line allows incoming SSH attempts should they not meet the drop criteria. This line is vital, but easy to overlook.
After saving the file, service iptables restart will restart iptables with the new changes. You can see your new ACL at work with the following command:
# iptables -L -v
pkts bytes target prot opt in out source destination
<snip>
24 1368 tcp -- any any anywhere anywhere state NEW recent: SET name: DEFAULT side: source tcp dpt:ssh
14 756 DROP tcp -- any any anywhere anywhere state NEW recent: UPDATE seconds: 60 hit_count: 4 name: DEFAULT side: source tcp dpt:ssh
10 612 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
As you can see, my server has already dropped 14 incoming connections because they were coming too frequently.
You can find more information on this concept at MNX Solutions and HostingFu.
As it stands, those rules enable a very easy denial of service attack if I can guess your home IP address.
I have always just gone with a change of port number for SSH. Just don't pick a port that gets brute force attacks aimed at another protocol.
Dave -
You're right about the possibility of a DoS. The solution to that problem is to create rules before the DROP rule that account for any IPs that should be allowed unlimited sessions.
That being said, if someone is specifically targeting you, it seems likely they'll find the port you've moved SSH to. So that system has its drawbacks, too.
Thanks for commenting!
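The sliding-window behaviour of the three rules in the post, plus the whitelist ACCEPT rules the author suggests in the reply above, as an added Python model that is not part of the original post and not the kernel's own recent-module code: it stamps every new attempt from a source, drops the attempt when hitcount or more stamps fall inside the window, and lets whitelisted sources bypass the limit entirely. The RecentSshChain class, the addresses and the timings are constructed for this example.

```python
"""Model of the iptables 'recent' rate limit from the post (constructed simulation, not kernel code)."""
from collections import defaultdict

WINDOW_SECONDS = 60   # --seconds 60
HITCOUNT = 4          # --hitcount 4


class RecentSshChain:
    """Evaluates one NEW tcp/22 packet against the three rules in the post.

    Optional whitelist entries model the extra ACCEPT rules the author suggests
    placing before the DROP rule for hosts that may open unlimited sessions.
    """

    def __init__(self, whitelist=(), window=WINDOW_SECONDS, hitcount=HITCOUNT):
        self.whitelist = set(whitelist)
        self.window = window
        self.hitcount = hitcount
        # The 'recent' list (name: DEFAULT, side: source): source IP -> timestamps seen
        self.stamps = defaultdict(list)
        self.verdicts = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})

    def new_connection(self, src, now):
        """Return the verdict for a NEW connection from src at time now (seconds)."""
        # Whitelist ACCEPT rules sit ahead of the rate-limit rules, so trusted
        # hosts never even enter the recent list.
        if src in self.whitelist:
            return self._verdict(src, "ACCEPT")
        # Rule 1: -m recent --set. Records a timestamp for the source. It has no
        # -j target, so evaluation always continues to the next rule.
        self.stamps[src].append(now)
        # Rule 2: -m recent --update --seconds 60 --hitcount 4 -j DROP.
        # Matches when the source has hitcount or more stamps inside the window.
        # Because rule 1 stamps every attempt, dropped attempts also count, so a
        # host that keeps hammering stays blocked (sliding window).
        self.stamps[src] = [s for s in self.stamps[src] if now - s <= self.window]
        if len(self.stamps[src]) >= self.hitcount:
            return self._verdict(src, "DROP")
        # Rule 3: -p tcp --dport 22 -j ACCEPT. Without it nothing would be let in.
        return self._verdict(src, "ACCEPT")

    def _verdict(self, src, verdict):
        self.verdicts[src][verdict] += 1
        return verdict


def run_scenario():
    """Replays a constructed set of connection attempts and returns per-source counts."""
    chain = RecentSshChain(whitelist={"198.51.100.1"})  # constructed admin address
    attempts = []
    # A brute-forcer (constructed address) opening a new session every 5 seconds.
    attempts += [("203.0.113.7", t) for t in range(0, 60, 5)]
    # A normal user who logs in a few times spread out over two minutes.
    attempts += [("192.0.2.10", t) for t in (0, 30, 90, 120)]
    # The whitelisted admin running a burst of scripted logins.
    attempts += [("198.51.100.1", t) for t in range(0, 10)]
    for src, t in sorted(attempts, key=lambda a: a[1]):
        chain.new_connection(src, t)
    return {src: dict(v) for src, v in chain.verdicts.items()}


if __name__ == "__main__":
    for src, counts in run_scenario().items():
        print(f"{src:15} ACCEPT={counts['ACCEPT']:2} DROP={counts['DROP']:2}")
```

Running the scenario shows the same shape as the iptables -L -v counters in the post: the brute-forcer gets its first three connections accepted and the other nine dropped, the occasional user is never blocked, and the whitelisted host is untouched by the limit. The model also makes the caveat raised in the comments visible: any source that is not whitelisted can be pushed into the DROP state by four attempts within the window, whoever actually sent them.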
[...] the past, I've written about the usefulness of using iptables to limit incoming SSH connections. Although it isn't a replacement for a good password policy, it at least limits the ability of [...]